EnGarde Secure Linux Security Advisory: Pine, LIDS, and sudo

Jan 15, 2002, 05:31 (0 Talkback[s])

+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                January 14, 2002 |
| http://www.engardelinux.org/                          ESA-20020114-003 |
|                                                                        |
| Packages: kernel / lids-base                                           |
| Summary:  There are several local vulnerabilities in the LIDS system.  |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  Recently there were several local vulnerabilities discovered in the LIDS
  system used by EnGarde Secure Linux which could allow an attacker to
  gain root, and even disable LIDS completely.


DETAIL
- ------
  Stealth of TESO recently discovered several vulnerabilities in the LIDS
  (Linux Intrusion Detection System).  The following is an outline of
  these bugs:

    1) Using the LD_PRELOAD environment variable (and potentially other
       LD_ variables), an attacker can make programs granted specific
       capabilities "leak" them to unprivileged processes.  For example,
       if there is a program granted CAP_SETUID then an attacker can gain
       root.

    2) An attacker, who has already gained root, could write directly to
       the LIDS data structures in kernel memory (using /dev/kem) and
       effectively disable LIDS.

    3) Philippe Biondi of the LIDS team also discovered that programs
       launched before LIDS is sealed keep full capabilities after the
       sealing takes place.  This allows a window of opportunity for an
       attacker to leverage the CAP_SYSRAWIO or CAPSYS_MODULE
       capabilities.

  All known LIDS bugs are fixed with this release.  In addition to new
  kernel packages, there are new 'lids-base' packages with an updated LIDS
  configuration to accommodate the kernel changes.  All users are
  recommended to upgrade immediately, following the special SOLUTION
  outlined in this advisory.


SOLUTION
- --------
  This information applies only to EnGarde Secure Linux Community edition
  users. Registered users of the EnGarde Secure Linux Professional
  edition can use the Guardian Digital Secure Network to upgrade their
  packages automatically.

  All users should upgrade to the most recent version as outlined in
  this advisory.  All updates may be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Please read and understand this entire section before you attempt to
  upgrade the kernel.

  Initial Steps
  -------------
    1) Verify the machine is either:

       a) booted into a "standard" kernel; or
       b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL)

    2) Determine which kernels you currently have installed:

         # rpm -qa --qf "%{NAME}.%{ARCH}\n" | grep kernel

    3) Download the new kernels that match what you have installed
       (based on step 2) from the "UPDATED PACKAGES" section of this
       advisory.

  Installation Steps
  ------------------
    4) Install the new kernel and lids-base packages.  Because of version
       dependencies, you MUST install both the updated kernel packages and
       the new lids-base package at the same time.  The kernel packages
       will automagically update /etc/lilo.conf by commenting out any old
       EnGarde images and replacing them with the new ones:

         # rpm --replacefiles -i <kernel 1> <kernel 2> ... <lids-base>

    5) The new lids-base package will automatically update your LIDS
       configuration to work with the new kernels.  You must now re-run
       LILO by hand.  If you see any errors then open /etc/lilo.conf in
       your favorite text editor and make the appropriate changes:

         # /sbin/lilo

  Final Steps
  -----------
    6) If you did not see any LILO errors then your new kernel is now
       installed and your machine is ready to be rebooted:

         # reboot


UPDATED PACKAGES
- ----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/kernel-2.2.19-1.0.24.src.rpm
      MD5 Sum: 18e6a28e9b97b70e4d47693a14d5bc5d

    SRPMS/lids-base-0.9.15-1.0.27.src.rpm
      MD5 Sum: 06e4e37f90072cc02ee57ef8bc342c16

  Binary Packages:

    i386/kernel-2.2.19-1.0.24.i386.rpm
      MD5 Sum: e81ed6ebea8cbbd48436dd4dca77f12b

    i386/kernel-lids-mods-2.2.19-1.0.24.i386.rpm
      MD5 Sum: 5d05f9f9bf4c18b50cb6d5bffde09218

    i386/kernel-smp-lids-mods-2.2.19-1.0.24.i386.rpm
      MD5 Sum: 8bece6223cd528772e12cfab1599625b

    i386/kernel-smp-mods-2.2.19-1.0.24.i386.rpm
      MD5 Sum: a609eae6b7505f2827ca13611dcfa5af


    i686/kernel-2.2.19-1.0.24.i686.rpm
      MD5 Sum: de36286c504b2593814ff61505afc4fc

    i686/kernel-lids-mods-2.2.19-1.0.24.i686.rpm
      MD5 Sum: b4c1232d4f77dfb7375d842659387116

    i686/kernel-smp-lids-mods-2.2.19-1.0.24.i686.rpm
      MD5 Sum: 4a719fcf119a553d11807c2d8a0c0b45

    i686/kernel-smp-mods-2.2.19-1.0.24.i686.rpm
      MD5 Sum: 7d3c6094a8c1ac1e8797c04b64ad746c


    i386/lids-base-0.9.15-1.0.26.i386.rpm
      MD5 Sum: 698cb992aa428eec3e38c220043792d7

    i686/lids-base-0.9.15-1.0.26.i686.rpm
      MD5 Sum: 337b68513574355c4c120b11b79b8726


REFERENCES
- ----------
  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  The LIDS Advisory Published by TESO:
    http://www.team-teso.org/advisories/teso-advisory-012.txt

  Credit for the discovery of these bugs goes to:
    Stealth <stealth@team-teso.net>
    Philippe Biondi <pbi@cartel-info.fr>

  LIDS' Official Web Site:
    http://www.lids.org/

  Security Contact:    security@guardiandigital.com
  EnGarde Advisories:  http://www.engardelinux.org/advisories.html

- --------------------------------------------------------------------------
$Id: ESA-20020114-003-lids,v 1.2 2002/01/14 21:36:46 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2002, Guardian Digital, Inc.




<hr>


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                January 14, 2002 |
| http://www.engardelinux.org/                          ESA-20020114-002 |
|                                                                        |
| Package:  pine                                                         |
| Summary:  'pine' URL handling vulnerability                            |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  There is a vulnerability in pine which can allow an attacker to execute
  arbitrary commands on a victims machine by sending them a specially-
  crafted URL which is then mishandled by pine's URL handling code.


DETAIL
- ------
  zen-parse has found a URL handling vulnerability, much like the recent
  xchat vulnerability (http://www.securityfocus.com/bid/1601), in the pine
  mail and news reader.  By sending a victim a URL of the form:

      http://address/'&/some/program${IFS}with${IFS}arguments&'
      (where ' is the backtick character)

  an attacker can execute '/some/program with arguments' on the victims
  machine.  If the victim is reading his mail as root (which is
  obviously not recommended) then this can lead to a root compromise.


SOLUTION
- --------
  This information applies only to EnGarde Secure Linux Community edition
  users. Registered users of the EnGarde Secure Linux Professional
  edition can use the Guardian Digital Secure Network to upgrade their
  packages automatically.

  All users should upgrade to the most recent version as outlined in
  this advisory.  All updates may be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  You must now update the LIDS configuration by executing the command:

    # /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signatures of the updated packages, execute the command:

    # rpm -Kv <filename>


UPDATED PACKAGES
- ----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/pine-4.33-1.0.6.src.rpm
      MD5 Sum: 7a6653d8814945edee9ab544afb696bc

  Binary Packages:

    i386/pine-4.33-1.0.6.i386.rpm
      MD5 Sum: 4b1d60e1e7ccb3a8a511db42877f0b15

    i686/pine-4.33-1.0.6.i686.rpm
      MD5 Sum: 995ed060b84adb05b5b274d353becd91


REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    zen-parse <zen-parse@gmx.net>

  pine's Official Web Site:
    http://www.washington.edu/pine/

  Security Contact:    security@guardiandigital.com
  EnGarde Advisories:  http://www.engardelinux.org/advisories.html

- --------------------------------------------------------------------------
$Id: ESA-20020114-002-pine,v 1.2 2002/01/14 18:20:07 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2002, Guardian Digital, Inc.


<hr>



+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                January 14, 2002 |
| http://www.engardelinux.org/                          ESA-20020114-001 |
|                                                                        |
| Package:  sudo                                                         |
| Summary:  sudo can invoke the system MTA as root.                      |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  There is a vulnerability in sudo which can allow an attacker to trick
  sudo into running the system MTA with root privileges and an unclean
  environment, possibly leading to a root compromise.


DETAIL
- ------
  Sebastian Krahmer of the SuSE Security Team found a bug in sudo which
  can allow an attacker to send a failed-invocation email with root
  privileges and an unclean environment.  Using the Postfix MTA an
  attacker can potentially gain a root shell.  No other MTA is known to be
  exploitable at this time.

  We would like to reiterate that the bug is in sudo, not Postfix which is
  simply being used as a vehicle in this instance.

  This bug is fixed by having sudo run the MTA with user privileges
  instead of with root privileges.


SOLUTION
- --------
  This information applies only to EnGarde Secure Linux Community edition
  users. Registered users of the EnGarde Secure Linux Professional
  edition can use the Guardian Digital Secure Network to upgrade their
  packages automatically.

  All users should upgrade to the most recent version as outlined in
  this advisory.  All updates may be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  You must now update the LIDS configuration by executing the command:

    # /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signatures of the updated packages, execute the command:

    # rpm -Kv <filename>


UPDATED PACKAGES
- ----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/sudo-1.6.4-1.0.6.src.rpm
      MD5 Sum: bf14204686a62f01b429eb28d83cfd6b

  Binary Packages:

    i386/sudo-1.6.4-1.0.6.i386.rpm
      MD5 Sum: 83fceade44a6d263647653351c2acade

    i686/sudo-1.6.4-1.0.6.i686.rpm
      MD5 Sum: 8b8c9344cbc950cd9fd4f2fc1c3136f8


REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    Sebastian Krahmer <krahmer@suse.de>

  sudo's Official Web Site:
    http://www.sudo.ws/sudo/

  Security Contact:    security@guardiandigital.com
  EnGarde Advisories:  http://www.engardelinux.org/advisories.html

- --------------------------------------------------------------------------
$Id: ESA-20020114-001-sudo,v 1.1 2002/01/14 17:36:06 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2002, Guardian Digital, Inc.